b'         Audit Report\n\n\n\n\n   OIG-06-033\n\n   FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of\n   OFAC Compliance Was Hampered by Limited Documentation\n\n   July 31, 2006\n\n\n\n\nOffice of\nInspector General\nDepartment of the Treasury\n\x0c\x0cContents\n\n\nAudit Report...............................................................................................       1\n\n    Results in Brief.................................................................. \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                   2\n\n    Background ...................................................................... \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                    3\n\n    Audit Results .......................\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                                                  6\n\n    Recommendations .....................................................................................       10\n\nAppendices\n\n    Appendix 1:          Objective, Scope, and Methodology ......................................               12\n    Appendix 2           Major Contributors to This Report .........................................            14\n    Appendix 3:          Bank Secrecy Act/Anti-Money Laundering Examination Manual\n                         Excerpt/Core Examination Procedures ...................................                15\n    Appendix 4:          Management Response .......................................................            18\n    Appendix 5:          Report Distribution..............................................................      20\n\nAbbreviations\n\n    AML                  Anti-Money Laundering\n    BSA                  Bank Secrecy Act\n    FFIEC                Federal Financial Institutions Examination Council\n    OCC                  Office of the Comptroller of the Currency\n    OFAC                 Office of Foreign Assets Control\n    OIG                  Office of Inspector General\n\n\n\n\n                         FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n                         Was Hampered by Limited Documentation (OIG-06-033)                                   Page i\n\x0c        This page intentionally left blank.\n\n\n\n\nFOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\nWas Hampered by Limited Documentation (OIG-06-033)                     Page ii\n\x0c                                                                                     Audit\nOIG\nThe Department of the Treasury\n                                                                                     Report\nOffice of Inspector General\n\n\n\n\n               July 31, 2006\n\n               John C. Dugan\n               Comptroller\n               Office of the Comptroller of the Currency\n\n               As a follow-up to a previous OIG report,1 we conducted an audit of the\n               Office of Foreign Assets Control\xe2\x80\x99s (OFAC) administration and\n               enforcement of economic sanctions against targeted foreign countries,\n               individuals, and groups. OFAC acts under presidential wartime and\n               national emergency powers, as well as authority granted by specific\n               legislation, to impose controls on transactions and freeze foreign assets\n               under U.S. jurisdiction. OFAC sanctions are enforced largely by financial\n               institutions. Because OFAC is legally limited in its ability to monitor\n               financial institutions\xe2\x80\x99 compliance with foreign sanction requirements,2 it\n               depends on financial institution regulators, such as the Office of the\n               Comptroller of the Currency (OCC), to ensure that financial institutions\n               comply with OFAC requirements. Accordingly, as part of our audit, we\n               tested regulatory oversight of OFAC compliance for a sample of financial\n               institutions to determine whether OFAC\xe2\x80\x99s foreign sanctions programs\n               were being effectively administered. This report presents the results of\n               our review of OCC compliance examinations.\n\n               We conducted our audit from March 2005 to April 2006 in accordance\n               with generally accepted government auditing standards. A more detailed\n               description of our objective, scope and methodology is included in\n               appendix 1.\n\n1\n  FOREIGN ASSETS CONTROL: OFAC\xe2\x80\x99s Ability to Monitor Financial Institution Compliance Is Limited\nDue to Legislative Impairments (OIG-02-082, April 26, 2002).\n2\n   Section 3412 (d) of the Right to Financial Privacy Act (12 U.S.C. 3401) allows supervisory agencies\nto exchange examination information with other supervisory agencies. OFAC is not included in this\nAct\xe2\x80\x99s list of supervisory agencies [\xc2\xa7 3401(7)].\n\n\n\n\n                      FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n                      Was Hampered by Limited Documentation (OIG-06-033)                     Page 1\n\x0cResults In Brief\n               OCC\xe2\x80\x99s examination work papers did not provide assurance that banks\n               were adequately reviewing or effectively administering OFAC\xe2\x80\x99s sanctions\n               programs. From a sample of 18 OCC examinations conducted in fiscal\n               years 2002 through 2005, we found, for every examination, one or more\n               instances in which documentation was insufficient to verify that\n               examiners adequately assessed OFAC program compliance. Specifically,\n               the OCC examination work papers did not always contain sufficient\n               documentation to demonstrate that examiners fully assessed\n                           \xe2\x80\xa2   bank policies and procedures for its OFAC compliance\n                               program,\n                           \xe2\x80\xa2   bank comparisons of its accounts with OFAC listings,\n                           \xe2\x80\xa2   correspondence between the bank and OFAC, and\n                           \xe2\x80\xa2   results of internal bank audits for possible OFAC program\n                               concerns.\n               OCC\xe2\x80\x99s policy on supervisory work papers states that examiners should\n               generate and retain only those documents necessary to support the scope\n               of supervisory activity, significant conclusions, rating changes, or\n               changes in risk profile. We believe, however, that this policy makes it\n               difficult to assess the adequacy of the review and creates inconsistency\n               in how program results are documented. Guidelines recently issued by the\n               Federal Financial Institutions Examination Council (FFIEC)3 should help\n               ensure the consistency of examination coverage.\n\n               We are making recommendations to OCC to ensure that (1) the current\n               OCC guidelines for OFAC compliance examinations incorporate the\n               policies and procedures contained in the FFIEC BSA/AML Examination\n               Manual and (2) examiners sufficiently and consistently document the\n               work performed so that an independent reviewer can clearly see which\n3\n  FFIEC, established under title X of the Financial Institutions Regulatory and Interest Rate Control Act\nof 1978, is a formal interagency body empowered to prescribe uniform principles, standards, and report\nforms for the examination of financial institutions by federal regulators. The members of FFIEC, in\naddition to OCC, are the Office of Thrift Supervision, the Federal Deposit Insurance Corporation, the\nBoard of Governors of the Federal Reserve System, and the National Credit Union Administration.\n\n\n\n\n                       FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n                       Was Hampered by Limited Documentation (OIG-06-033)                     Page 2\n\x0c        procedures were performed and ascertain the basis for all significant\n        conclusions, including changes to regulatory ratings and risk profiles.\n\n        OCC concurred with our recommendations. OCC has replaced its OFAC\n        compliance examination procedures with the FFIEC Bank Secrecy\n        Act/Anti-Money Laundering Examination Manual. OCC also intends to\n        reinforce its documentation expectations with examining staff.\n\n        In OCC\xe2\x80\x99s response to our draft report, the Comptroller stated that OCC\n        has taken major steps, individually, and as part of interagency initiatives\n        to enhance BSA/AML processes, including OFAC compliance, in the past\n        several years. He also said he is committed to these goals and personally\n        directed further enhancements to these processes in the fall of 2005.\n\n\nBackground\n        OFAC\xe2\x80\x99s Mission and Sanctions Programs\n\n        The mission of OFAC, an office within the Department of the Treasury, is\n        to administer and enforce economic and trade sanctions, based on U.S.\n        foreign policy and national security goals, against targeted foreign\n        countries, terrorists, international narcotics traffickers, and those engaged\n        in activities related to the proliferation of weapons of mass destruction.\n        All U.S. persons, including U.S. banks, bank holding companies, and\n        nonbank subsidiaries must comply with OFAC regulations.\n\n        OFAC regulations involve blocking accounts and other assets of the\n        specified countries, entities, and individuals and rejecting financial\n        transactions with specified countries, entities, and individuals. If financial\n        institutions fail to block or reject prohibited transactions, OFAC has the\n        authority to impose civil monetary penalties against them.\n\n        OFAC sanctions can reach into virtually all areas of banking operations.\n        Therefore, banks need to consider all types of transactions, products, and\n        services when they conduct risk assessments and establish appropriate\n        policies and procedures.\n\n\n\n\n              FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n              Was Hampered by Limited Documentation (OIG-06-033)                     Page 3\n\x0c               OCC Role in Ensuring Banks\xe2\x80\x99 Compliance with OFAC Regulations\n\n               The mission of OCC, which charters, regulates, and supervises all U.S.\n               national banks, is to ensure a stable and competitive national banking\n               system. OCC has the authority to examine banks and take supervisory\n               actions against banks that do not comply with laws and regulations or\n               that otherwise engage in unsound banking practices. As of\n               September 30, 2005, OCC was responsible for regulating and supervising\n               1,933 national banks and 51 federal branches of foreign banks in the\n               United States. National banks, as of June 30, 2005, held 67 percent\n               ($5.8 trillion) of the total assets of all U.S. commercial banks.\n\n               It is OCC\xe2\x80\x99s responsibility to ensure that national banks comply with OFAC\n               regulations. However, none of the laws that authorize sanctions for OFAC\n               violations contain specific language that delegates administrative\n               enforcement responsibility to any of the financial institution regulatory\n               agencies, including OCC. Consequently, OCC\xe2\x80\x99s OFAC enforcement\n               responsibilities fall under its general examination responsibility to ensure\n               that banks are following applicable laws and regulations.\n\n               OCC Examination Procedures for OFAC Compliance\n\n               In September 2000, OCC issued the Bank Secrecy Act/Anti-Money\n               Laundering Comptroller\xe2\x80\x99s Handbook, which contains procedures for\n               reviewing and assessing banks\xe2\x80\x99 OFAC compliance. According to the\n               handbook, examiners should do the following:\n\n                       \xe2\x80\xa2   Review all OFAC-related correspondence\n                       \xe2\x80\xa2   Evaluate banks\xe2\x80\x99 OFAC policies and procedures\n                       \xe2\x80\xa2   Examine internal audits reports and management reviews\n                           involving OFAC compliance\n                       \xe2\x80\xa2   Verify that banks maintained a current and valid OFAC list4\n\n\n\n4\n OFAC periodically publishes a Specially Designated Nationals and Blocked Persons list of individuals\nand companies owned or controlled by, or acting for or on behalf, of targeted countries. The list also\ncontains individuals, groups, and entities, such as terrorists and drug traffickers.\n\n\n\n\n                       FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n                       Was Hampered by Limited Documentation (OIG-06-033)                     Page 4\n\x0c                      \xe2\x80\xa2   Determine whether banks have procedures to ensure that new\n                          and existing accounts and transactions are compared with the\n                          OFAC list.\n\n               OCC Policies and Procedures Manual\n\n               The Bank Supervision section of the OCC Policies and Procedures Manual,\n               dated October 23, 2002, addresses supervision work papers and states\n               that the level of detail in work papers should be commensurate with the\n               risks facing the institution. In most cases, the work papers need not\n               include all of the data reviewed. Instead, the examiner should generate\n               and retain only documents necessary to support the scope, significant\n               conclusions, rating changes, or changes in a risk profile. Work papers do\n               not typically need to address every objective and procedural step.\n\n               FFIEC Core Examination Procedures for OFAC Compliance\n\n               In June 2005, FFIEC released the Bank Secrecy Act/Anti-Money\n               Laundering Examination Manual (BSA/AML Examination Manual). The\n               manual includes core procedures for examiners to use to determine\n               whether financial institutions are in compliance with OFAC sanctions\n               programs. (See appendix 3.) According to the BSA/AML Examination\n               Manual, financial institutions should use a risk-based approach when\n               considering the likelihood of encountering possible OFAC violations.\n\n               The BSA/AML Examination Manual also states that transaction testing5 is\n               a requirement to be accomplished as part of each examination. However,\n               examiners are to use transactional testing in high risk areas identified in\n               the bank\xe2\x80\x99s risk assessment. If OFAC is deemed a high risk area, the\n5\n  As provided in the BSA/AML Examination Manual, examiners perform transaction testing to evaluate\nthe adequacy of the bank\xe2\x80\x99s compliance with regulatory requirements, determine the effectiveness of its\npolicies, procedures, and processes, and evaluate suspicious activity monitoring systems. Transaction\ntesting, the manual states, is an important factor in forming conclusions about the integrity of the\nbank\xe2\x80\x99s overall controls and risk management processes and must be performed at each examination.\nThe extent of transaction testing and activities where it is performed is based on various factors,\nincluding the examiner\xe2\x80\x99s judgment of risks, controls, and the adequacy of the independent testing by\nthe bank\xe2\x80\x99s internal audit function. Once the examiner is on-site, the scope of the transaction testing\ncan be expanded to address any issues or concerns identified during the examination.\n\n\n\n\n                      FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n                      Was Hampered by Limited Documentation (OIG-06-033)                     Page 5\n\x0c         examiners may choose to use transaction testing to evaluate the bank\xe2\x80\x99s\n         handling of new and established accounts, the effectiveness of interdict\n         software if used, the handling of blocked transactions, or the resolution\n         of false hits.\n\nAudit Results\n         OCC\xe2\x80\x99s examination work papers lacked sufficient documentation to\n         assure that banks were adequately reviewing or administering OFAC\n         sanctions programs. Our review of fiscal years 2002-5 examination\n         results for the 18 banks revealed instances of inadequate documentation\n         for significant examination steps. The following table summarizes the\n         results of our review:\n\n         Table 1: Examinations Conducted in Fiscal Years 2002-5 with Insufficient\n                  Documentation\n\n          Examination\n            .         Step                                             Number of Examinations\n\n          Assessment of policies and procedures                                           16\n          Assessment of effectiveness of bank\n                                                                                          13\n          comparisons to OFAC list\n          Review of OFAC correspondence                                                   11\n          Review of internal bank audit results                                            9\n            Source: OIG analysis\n\n\n         For one examination, OCC did not provide any work papers to support the\n         examination\xe2\x80\x99s findings.\n\n         Our efforts to evaluate and verify the examiners\xe2\x80\x99 conclusions were\n         hampered by the lack of documentation. If examiners conclude that an\n         institution is OFAC-compliant, OCC does not require that documentation\n         covering all objectives and procedures as well as copies of bank policy\n         documents be maintained and available to support their conclusions. As a\n         result, documentation is often not available to allow an external reviewer\n         to verify and assess the examiner\xe2\x80\x99s conclusions. OCC management\n         prefers that OCC resources be used to document and address conditions\n         that result in noncompliance.\n\n\n\n\n                FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n                Was Hampered by Limited Documentation (OIG-06-033)                     Page 6\n\x0cDescription of Our Review\n\nTo assess OCC examinations of banks\xe2\x80\x99 compliance with OFAC\nregulations, we selected a sample of 18 bank examinations that OCC\nconducted in fiscal years 2002 through 2005. For our sample, we\nselected 3 banks that had prior OFAC violations \xe2\x80\x93 OFAC had imposed\ncivil monetary penalties against 2 of these banks and issued a warning\nletter to the third.\n\nThe remaining 15 banks were selected from a stratified sample of banks\nbased on asset size and distributed among the 4 OCC districts (western,\ncentral, southern, and northeastern). In total, we selected 3 large banks\n(assets from $25 billion to $999 billion), 5 medium banks (assets from $1\nbillion to $25 billion), and 10 small banks (assets from $1 million to\n$1 billion). We included 3 banks each from New York, California, and\nTexas as well as 2 banks each in Illinois and Missouri. The remaining 6\nbanks were located in New Jersey, Florida, Colorado, Indiana, and West\nVirginia.\n\nFor each of the 18 banks in our sample, we requested copies of the most\nrecent OFAC compliance examination work papers. In addition, we\nrequested copies of all documentation that may have affected the scope\nof the OFAC reviews.\n\nBanks\xe2\x80\x99 Policies and Procedures for Determining OFAC Compliance Were\nNot Always Documented\n\nBanks should have policies and procedures to ensure OFAC program\ncompliance. For 16 of 18 examinations, OCC examiners reported that\nOFAC compliance was satisfactory, but we were unable either to confirm\nthat the policies and procedures existed or to validate the examiners\xe2\x80\x99\nsummaries and conclusions. For 2 examinations, copies of the policies\nand procedures were in the examination work papers. OCC officials\nindicated that examiners need not maintain copies of a bank\xe2\x80\x99s policies\nand procedures and that it is considered sufficient to review them on-site.\n\n\n\n\n      FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n      Was Hampered by Limited Documentation (OIG-06-033)                     Page 7\n\x0cOCC Examinations Lacked Evidence of Assessment of the Effectiveness\nof Bank Comparisons to OFAC List\n\nIn assessing banks\xe2\x80\x99 compliance with OFAC, OCC examiners generally\nnote in their work papers the method a banks uses to compare accounts\nand transactions to OFAC lists of countries, entities, and individuals\nwhose accounts, assets, or transactions are to be blocked or frozen. OCC\nexaminers indicated that 13 of the 18 banks used OFAC interdict\nsoftware to conduct their comparisons, but we did not find any evidence\nthat examiners had assessed whether the software was effective or had\nbeen updated to include the most recent changes to the OFAC list.\n\nFor 2 of the other 5 banks, the examination work papers indicated that\nthe banks compared accounts and transactions to the OFAC list\nmanually. However, the work papers did not document whether the\nexaminers determined if the banks\xe2\x80\x99 manual procedures were effective. For\nthe remaining 3 banks, the examination work papers did not specify how\ncomparisons were done.\n\nWe also evaluated whether OCC examiners verified that the banks\ncompared accounts with the OFAC list. In 3 of the 18 examinations,\nthere was no evidence that the examiners completed this procedure.\n\nExaminers Did Not Always Document Reviews of OFAC-Related\nCorrespondence\n\nOne of the initial procedures OCC examiners perform in examining banks\xe2\x80\x99\ncompliance with OFAC is to review any OFAC-related correspondence\nspecific to the bank under examination. In 10 of the 18 examinations,\nOCC examiners did not document whether they conducted such a review.\nIn 1 examination, the examiner indicated that the correspondence review\nwas not conducted.\n\nFor the remaining 7 banks, the examiners documented their examination\nresults. Five banks did not have any OFAC-related correspondence to\nreview, while 2 banks had copies of issued OFAC penalties and warning\nletters.\n\n\n\n\n      FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n      Was Hampered by Limited Documentation (OIG-06-033)                     Page 8\n\x0cExaminers Did Not Always Document Reviews of Internal Audit Reports\n\nOCC examiners review banks\xe2\x80\x99 internal audit reports to determine whether\nbanks have addressed any weaknesses identified in their OFAC\ncompliance program reviews. Examiners\xe2\x80\x99 work papers for 9 of the 18\nexaminations contained insufficient evidence for us to determine whether\nthe bank conducted internal audits that included a review of OFAC\ncompliance. In 7 of these examinations, the banks conducted internal\naudits, but the OCC examiner did not document whether OFAC\ncompliance was included in the scope of the audits. In the remaining 2\nexaminations, the examiners made no reference as to whether the bank\nhad performed any type of internal audit or independent review.\n\nConclusions\n\nThe FFIEC BSA/AML Examination Manual provides guidance for ensuring\nthat OFAC compliance examinations are uniform, comprehensive, and\nbased on valid risk assessments. According to the manual, financial\ninstitution regulators such as OCC are to examine financial institutions to\ndetermine the adequacy of each institution\xe2\x80\x99s OFAC program and the\neffectiveness of its risk management. The examiners are to use the\nmanual\xe2\x80\x99s appendix M, \xe2\x80\x9cQuantity of Risk Matrix\xe2\x80\x94OFAC Procedures,\xe2\x80\x9d to\nhelp determine the OFAC risk level of the institution under review. Based\non their determination of risk from this matrix, as well as a review of prior\nexamination reports and internal audit findings for the institution, the\nexaminers are to select which policies and procedures to verify. We\nbelieve this process should be documented.\n\nIn a November 14, 2005, letter to the chairman of the Senate Committee\non Banking, Housing and Urban Affairs, the Comptroller of the Currency\nindicated that OCC would change its supervisory process to address the\nincreasing risk associated with BSA/AML compliance. Specifically, OCC\nwould strengthen its BSA/AML examinations through (1) enhanced risk\nmanagement; (2) application of the uniform examination procedures set\nforth in the BSA/AML Examination Manual, including mandatory\ntransaction testing; and (3) timely and effective follow-up.\n\nThe Manual identifies the OFAC-related information that should be\nrequested by the examiners in preparing for the examination. In addition,\n\n\n\n\n      FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n      Was Hampered by Limited Documentation (OIG-06-033)                     Page 9\n\x0c       the numerous examination procedures and the options available for\n       transaction testing will necessitate that examiners exercise care in\n       choosing appropriate procedures and transactions for testing. To ensure\n       that the results of OFAC examinations are valid and reliable, examiners\n       will need to identify the documentation reviewed and the work\n       performed. The basis for significant conclusions reached should be\n       sufficient to satisfy an independent reviewer.\n\n\nRecommendations\n       We recommend that the Comptroller of the Currency do the following:\n\n       1. Ensure that the current OCC guidelines for OFAC compliance\n          examinations incorporate the policies and procedures contained in the\n          FFIEC BSA/AML Examination Manual.\n\n       2. Ensure examiners sufficiently and consistently document work\n          performed so that an independent reviewer can clearly see which\n          procedures were performed and ascertain the basis for all significant\n          conclusions, including changes to regulatory ratings and risk profiles.\n\n       Management Response\n\n       OCC concurred with the first recommendation and reported that, as of\n       June 2005, the FFIEC \xe2\x80\x9cBank Secrecy Act/Anti-Money Laundering\n       Examination Manual\xe2\x80\x9d has replaced the OCC-specific examination\n       procedures for OFAC compliance. OCC agreed with the second\n       recommendation and believes it is consistent with its current policy\n       regarding work papers. OCC concluded that the level of exceptions noted\n       in our audit report points to a need for improvement in practice. OCC will\n       reinforce its expectations in this regard with examination staff.\n\n       OIG Comments\n\n       We believe that the actions OCC states in its response, if implemented as\n       described, address the intent of our recommendations.\n\n\n\n\n             FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n             Was Hampered by Limited Documentation (OIG-06-033)                    Page 10\n\x0c                                  ******\n\nWe would like to extend our appreciation to OCC personnel for the\ncooperation and courtesies extended to our staff during the reviews. If\nyou have any questions, please contact me at (617) 223-8640.\n\n\n/s/\nDonald P. Benson\nDirector\n\n\n\n\n      FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n      Was Hampered by Limited Documentation (OIG-06-033)                    Page 11\n\x0cAppendix 1\nObjective, Scope, and Methodology\n\n\n\n\nOur objective was to determine the effectiveness of OCC\nexamination efforts to ensure financial institution compliance with\nOFAC requirements. This audit was performed in conjunction with\nan audit of OFAC\xe2\x80\x99s administration and enforcement of economic\nsanctions against targeted foreign countries, individuals, and\ngroups. Because OFAC is legally limited in its ability to monitor\nfinancial institutions\xe2\x80\x99 compliance with foreign sanction\nrequirements, OFAC depends on financial institution regulators,\nsuch as the OCC, to ensure that the institutions comply with OFAC\nrequirements.\n\nWe reviewed OCC work papers to determine whether the\nexaminers followed the examination guidelines in the OCC Bank\nSecrecy Act/Anti-Money Laundering Comptroller\xe2\x80\x99s Handbook. The\nreview focused on how OCC examiners identified each institution\xe2\x80\x99s\nOFAC policies and procedures and addressed the risks associated\nwith ensuring OFAC compliance.\n\nWe judgmentally selected a sample of 18 banks, using asset size\nand geographic location as our main criteria. The sample\nexaminations were conducted in fiscal years 2002 through 2005.\nOur sample included 3 banks that OFAC had reviewed for sanction\nviolations. OFAC imposed civil monetary penalties against 2 of\nthese banks and issued a warning letter to the third bank.\n\nWe requested copies of the most recent examination work papers\nand copies of all documentation that may have affected the scope\nof the OFAC reviews. The examination records were compiled by\nthe OCC onto a computer CD ROM and were reviewed at our\noffice. Because the work paper documentation appeared limited for\nsome of the sampled examinations, we reconfirmed with the OCC\naudit liaison that the documentation provided represented all of the\nexamination documentation that was available.\n\nWe also compared the OFAC compliance guidance in OCC\xe2\x80\x99s\nSeptember 2000 Bank Secrecy Act/Anti-Money Laundering\nComptroller\xe2\x80\x99s Handbook with FFIEC\xe2\x80\x99s June 2005 Bank Secrecy\nAct/Anti-Money Laundering Examination Manual.\n\n\n\n\nFOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\nWas Hampered by Limited Documentation (OIG-06-033)                    Page 12\n\x0cAppendix 1\nObjective, Scope, and Methodology\n\n\nWe conducted our audit from March 2005 to April 2006 in\naccordance with generally accepted government auditing\nstandards.\n\n\n\n\nFOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\nWas Hampered by Limited Documentation (OIG-06-033)                    Page 13\n\x0cAppendix 2\nMajor Contributors to This Report\n\n\nStephen Syriala, Audit Manager\nThomas Mason, Auditor-In-Charge\nEsther Tepper, Communications Analyst\nHorace Bryan, Referencer\n\n\n\n\nFOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\nWas Hampered by Limited Documentation (OIG-06-033)                    Page 14\n\x0cAppendix 3\nBank Secrecy Act/Anti-Money Laundering Examination Manual Excerpt\nCore Examination Procedures\n\n\n\nObjective\n\nAssess the bank\xe2\x80\x99s risk-based Office of Foreign Assets Control\n(OFAC) program to evaluate whether it is appropriate for the\nbank\xe2\x80\x99s OFAC risk, taking into consideration its products, services,\ncustomers, transactions, and geographic locations.\n\nProcedures\n\n1. Determine whether the board of directors and senior\n   management of the bank have developed polices, procedures,\n   and processes based on their risk assessment to ensure\n   compliance with OFAC laws and regulations.\n\n2. Regarding the risk assessment, review the bank\xe2\x80\x99s OFAC\n   program. Consider the following:\n\n\xe2\x80\xa2   The extent of, and method for, conducting OFAC searches of\n    each relevant department/business line (e.g., automated clearing\n    house (ACH), monetary instruction sales, check cashing, trusts,\n    loans, deposits, and investments) as the process may vary from\n    one department or business line to another.\n\xe2\x80\xa2   The extent of, and method for, conducting OFAC searches of\n    account parties other than accountholders, which may include\n    beneficiaries, guarantors, principals, beneficial owners, nominee\n    shareholders, directors, signatories, and power of attorney.\n\xe2\x80\xa2   How responsibility for OFAC is assigned.\n\xe2\x80\xa2   Timeless of obtaining and updating OFAC lists or filtering\n    criteria.\n\xe2\x80\xa2   The appropriateness of the filtering criteria used by the bank to\n    reasonably identify OFAC matches (e.g., the extent to which\n    the filtering/search criteria includes misspelling and name\n    derivations).\n\xe2\x80\xa2   The process used to investigate potential matches.\n\xe2\x80\xa2   The process used to block and reject transactions.\n\xe2\x80\xa2   The process used to inform management of blocked or rejected\n    transactions.\n\xe2\x80\xa2   The adequacy and timeliness of reports to OFAC.\n\xe2\x80\xa2   The process to manage blocked accounts (such accounts are\n    reported to OFAC and pay a commercially reasonable rate of\n    interest).\n\n\nFOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\nWas Hampered by Limited Documentation (OIG-06-033)                    Page 15\n\x0cAppendix 3\nBank Secrecy Act/Anti-Money Laundering Examination Manual Excerpt\nCore Examination Procedures\n\n\n\n\xe2\x80\xa2   The record retention requirements (i.e., five year requirement to\n    retain relevant OFAC records; for blocked property, record\n    retention for as long as blocked; once unblocked, records must\n    be maintained for five years).\n\n3. Determine the adequacy of independent testing (audit) and\n   follow-up procedures.\n\n4. Review the adequacy of the bank\xe2\x80\x99s OFAC training program\n   based on the bank\xe2\x80\x99s OFAC risk assessments.\n\n5. Determine whether the bank has adequately addressed\n   weaknesses or deficiencies identified by OFAC, auditors or\n   regulators.\n\nTransaction Testing\n\n6. On the basis of a bank\xe2\x80\x99s risk assessment, prior examination\n   reports, and a review of the bank\xe2\x80\x99s audit findings, select the\n   following samples to test the bank\xe2\x80\x99s OFAC program for\n   adequacy, as follows:\n\n\xe2\x80\xa2   Sample new accounts (e.g., deposits, loan, trust, safe deposit,\n    investments, credit cards, and foreign office accounts,) and\n    evaluate the filtering process used to search the OFAC database\n    (e.g., the timing of the search), and documentation maintained\n    evidencing the searches.\n\n\xe2\x80\xa2   Sample appropriate transactions that may not be related to an\n    account (e.g., funds transfers, monetary instrument sales and\n    check cashing transactions), and evaluate the filtering criteria\n    used to search the OFAC database, the timing of the search,\n    and documentation maintained evidencing the searches.\n\n\n\xe2\x80\xa2   If the bank uses an automated system to conduct searches,\n    assess the timing of when updates are made to the system, and\n    when the most recent OFAC changes were made to the system.\n    Also, evaluate whether all of the bank\xe2\x80\x99s databases are run\n    against the automated system, and the frequency upon which\n    searches are made. If there is any doubt regarding the\n    effectiveness of the OFAC filter, then run tests of the system\n\nFOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\nWas Hampered by Limited Documentation (OIG-06-033)                    Page 16\n\x0c  Appendix 3\n  Bank Secrecy Act/Anti-Money Laundering Examination Manual Excerpt\n  Core Examination Procedures\n\n\n      by entering test account names that are the same as or similar\n      to those recently added to the OFAC list to determine whether\n      the system identifies a potential hit.\n\n  \xe2\x80\xa2   If the bank does not use an automated system, evaluate the\n      process used to check the existing customer base against the\n      OFAC list and the frequency of such checks.\n\n  \xe2\x80\xa2   Review a sample of potential OFAC matches and evaluate the\n      bank\xe2\x80\x99s resolution and blocking/rejecting processes.\n\n  \xe2\x80\xa2   Review a sample of reports to OFAC and evaluate their\n      completeness and timeliness.\n\n  \xe2\x80\xa2   If the bank is required to maintain blocked accounts, select a\n      sample and evaluate that the bank maintains adequate records\n      of amounts blocked and ownership of blocked funds, that the\n      bank is paying a commercially reasonable rate of interest on all\n      blocked accounts, and that it is accurately reporting required\n      information annually (by September 30th) to OFAC. Test the\n      controls in place to verify that the account is blocked.\n\n  \xe2\x80\xa2   Pull a sample of false hits (potential matches) to check their\n      handling; the resolution of a false hit should take place outside\n      of the business line.\n\n  7. Identify any potential matches that were not reported to OFAC,\n     discuss with bank management, advise bank management to\n     immediately notify OFAC of unreported transactions, and\n     immediately notify supervisory personnel at your regulatory\n     agency.\n\n  8. Determine the origin of deficiencies (e.g., training, audit, risk\n     assessment, internal controls, management oversight,) and\n     conclude on the adequacy of the bank\xe2\x80\x99s OFAC program.\n\n  9. Discuss OFAC related examination findings with bank\n     management.\n\n10.   Include OFAC conclusions within the report of examination, as\n      appropriate.\n\n\n  FOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\n  Was Hampered by Limited Documentation (OIG-06-033)                    Page 17\n\x0cAppendix 4\nManagement Response\n\n\n\n\nFOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\nWas Hampered by Limited Documentation (OIG-06-033)                    Page 18\n\x0cAppendix 4\nManagement Response\n\n\n\n\nFOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\nWas Hampered by Limited Documentation (OIG-06-033)                    Page 19\n\x0cAppendix 5\nReport Distribution\n\n\nDepartment of the Treasury\n\nUnder Secretary, Office of Terrorism and Financial Intelligence\nAssistant Secretary, Terrorist Financing and Financial Crimes\nOffice of Strategic Planning and Performance Management\nOffice of Accounting and Internal Control\n\nOffice of Comptroller of the Currency\n\nComptroller\n\nOffice of Foreign Assets Control\n\nActing Director\n\nOffice of Management and Budget\n\nOIG Budget Examiner\n\n\n\n\nFOREIGN ASSETS CONTROL: Assessing OCC\xe2\x80\x99s Examination of OFAC Compliance\nWas Hampered by Limited Documentation (OIG-06-033)                    Page 20\n\x0c'